cb58ad2c3ea77e4cc76aa026c0f9ef2b4999d445b5f07ddf722dde04e3db8c3e

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Size

197KB
MD5

e14a2135f733866986d32067555d385d
SHA1

bb6adda52ba3824dd5a94fc4e58327c5a10cc187
SHA256

cb58ad2c3ea77e4cc76aa026c0f9ef2b4999d445b5f07ddf722dde04e3db8c3e
SHA512

f5cb106b2a654e9b1815cb58736f3dd9f7568b6c4c0c3f630d5f2228e6d434df4df24b52eb708fef51d65353cdabb40b5a7fbefd67203ec641a27a85dd4b89f6
SSDEEP

3072:jEGh0oNl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGPlEeKcAEca

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}\stubpath = "C:\\Windows\\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe"	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}	{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}	{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}\stubpath = "C:\\Windows\\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe"	{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}\stubpath = "C:\\Windows\\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe"	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD718B92-3488-4158-85A3-8AEF1313AC89}\stubpath = "C:\\Windows\\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe"	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3334E825-9625-4409-BF03-BFBB385C52EC}	{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}\stubpath = "C:\\Windows\\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe"	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}\stubpath = "C:\\Windows\\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe"	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}\stubpath = "C:\\Windows\\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe"	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}\stubpath = "C:\\Windows\\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe"	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD718B92-3488-4158-85A3-8AEF1313AC89}	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}\stubpath = "C:\\Windows\\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe"	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3334E825-9625-4409-BF03-BFBB385C52EC}\stubpath = "C:\\Windows\\{3334E825-9625-4409-BF03-BFBB385C52EC}.exe"	{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}\stubpath = "C:\\Windows\\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe"	{3334E825-9625-4409-BF03-BFBB385C52EC}.exe

Deletes itself 1 IoCs

pid	Process
2204	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
3040	{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
2248	{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
1560	{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe
2308	{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
File created	C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
File created	C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
File created	C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
File created	C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
File created	C:\Windows\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe	{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
File created	C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
File created	C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
File created	C:\Windows\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
File created	C:\Windows\{3334E825-9625-4409-BF03-BFBB385C52EC}.exe	{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
File created	C:\Windows\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe	{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
Token: SeIncBasePriorityPrivilege	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
Token: SeIncBasePriorityPrivilege	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
Token: SeIncBasePriorityPrivilege	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
Token: SeIncBasePriorityPrivilege	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
Token: SeIncBasePriorityPrivilege	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
Token: SeIncBasePriorityPrivilege	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
Token: SeIncBasePriorityPrivilege	3040	{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
Token: SeIncBasePriorityPrivilege	2248	{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
Token: SeIncBasePriorityPrivilege	1560	{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1820	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	29
PID 1088 wrote to memory of 1820	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	29
PID 1088 wrote to memory of 1820	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	29
PID 1088 wrote to memory of 1820	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	29
PID 1088 wrote to memory of 2204	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	30
PID 1088 wrote to memory of 2204	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	30
PID 1088 wrote to memory of 2204	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	30
PID 1088 wrote to memory of 2204	1088	2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe	30
PID 1820 wrote to memory of 2820	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 1820 wrote to memory of 2820	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 1820 wrote to memory of 2820	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 1820 wrote to memory of 2820	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	31
PID 1820 wrote to memory of 2868	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 1820 wrote to memory of 2868	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 1820 wrote to memory of 2868	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 1820 wrote to memory of 2868	1820	{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe	32
PID 2820 wrote to memory of 2624	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2820 wrote to memory of 2624	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2820 wrote to memory of 2624	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2820 wrote to memory of 2624	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	33
PID 2820 wrote to memory of 2616	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2820 wrote to memory of 2616	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2820 wrote to memory of 2616	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2820 wrote to memory of 2616	2820	{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe	34
PID 2624 wrote to memory of 2852	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2624 wrote to memory of 2852	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2624 wrote to memory of 2852	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2624 wrote to memory of 2852	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	35
PID 2624 wrote to memory of 2584	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2624 wrote to memory of 2584	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2624 wrote to memory of 2584	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2624 wrote to memory of 2584	2624	{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe	36
PID 2852 wrote to memory of 2640	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2852 wrote to memory of 2640	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2852 wrote to memory of 2640	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2852 wrote to memory of 2640	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	37
PID 2852 wrote to memory of 3024	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2852 wrote to memory of 3024	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2852 wrote to memory of 3024	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2852 wrote to memory of 3024	2852	{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe	38
PID 2640 wrote to memory of 2192	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2640 wrote to memory of 2192	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2640 wrote to memory of 2192	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2640 wrote to memory of 2192	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	39
PID 2640 wrote to memory of 1636	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2640 wrote to memory of 1636	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2640 wrote to memory of 1636	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2640 wrote to memory of 1636	2640	{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe	40
PID 2192 wrote to memory of 2528	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2192 wrote to memory of 2528	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2192 wrote to memory of 2528	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2192 wrote to memory of 2528	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	41
PID 2192 wrote to memory of 2292	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2192 wrote to memory of 2292	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2192 wrote to memory of 2292	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2192 wrote to memory of 2292	2192	{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe	42
PID 2528 wrote to memory of 3040	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 2528 wrote to memory of 3040	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 2528 wrote to memory of 3040	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 2528 wrote to memory of 3040	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	43
PID 2528 wrote to memory of 1216	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44
PID 2528 wrote to memory of 1216	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44
PID 2528 wrote to memory of 1216	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44
PID 2528 wrote to memory of 1216	2528	{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e14a2135f733866986d32067555d385d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
  C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
    C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
      C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
        
        C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
        
        C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
        
        C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
        
        C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
        
        C:\Windows\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
        
        C:\Windows\{3334E825-9625-4409-BF03-BFBB385C52EC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe
        
        C:\Windows\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe
        
        C:\Windows\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3CA~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3334E~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D15B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD718~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DFA4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B161~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5FF6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45D6A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6E8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5F556~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3334E825-9625-4409-BF03-BFBB385C52EC}.exe

Filesize
197KB

MD5
6e1fa6c04778975047d290c0b2e4c6a9

SHA1
fa9e92e30487f3a1b55d43ffcb184def42bc4c9b

SHA256
e80900b57bc0af769888a3fe3d769a168537ec194a34898857e014239a2fa79f

SHA512
6b4389a09fd35ca6003f9b078ccefadaefdb9b7948f551ff36dabef8fc075449df30765ffed14b8236482f107949995bced565934742d57a6ae8fb2c6f492a3c

Download Submit
C:\Windows\{45D6A142-6B4B-40ab-97EE-29C9FCC1FB5E}.exe

Filesize
197KB

MD5
f9e2fd676e398832a6f1a2fdaf77c65e

SHA1
b058bb49395ea7389dc9e6863a7316644665f984

SHA256
feb68607db05affbcd5771e1bc51f01a188ddb6eff852e5b2d1570c21bb466e8

SHA512
aa63b3805707b8945f813fea210657570d37c3f8802a45d25daf04d2ed1fdfb7c7ae2b6f206e5b4d7183d321c5c93f4bacbc487e44deb1306b3b0c2e6fef5f57

Download Submit
C:\Windows\{5F55691B-FDE1-4bda-97CC-A05FA68344C4}.exe

Filesize
197KB

MD5
bed74bd1757bb4d423c898af7a0c3384

SHA1
1f08b9a278f3bb31590204283cbe6e664c32932e

SHA256
db6b1325614befdf1521c7be99d9b69c38d7bed8d2f8ea89d07f3ef7bc882f40

SHA512
19124a5ad6f8da2827dc00399be06ada468c85259ecbde3c64bde9aa860d631318c9c124b0acc9da01960e8dfbb70e9bf59bf69f0212b1108f067c4043678df8

Download Submit
C:\Windows\{7D15B9EB-2E09-4ff6-B0BF-5D5BFD49281D}.exe

Filesize
197KB

MD5
8990716f9c267e55c719eb51e1226391

SHA1
674ac8cef4d8f36f45be34a93215878928b3ba7d

SHA256
2ea6a37fccc7b1e0ac711e5b8f21328db6c0859f4cd3999fd9039b734f13650f

SHA512
32f7775a7803871ea927a6156d575c8a987fed1077e4c5e5043d12e990bf711689c70dc2a2f80dbcb11f485a8be586d4afeda010bd387a5297a04b1205864f0b

Download Submit
C:\Windows\{8B1612EE-9C7E-4713-98FC-D07790AAC0CF}.exe

Filesize
197KB

MD5
c5e26da06524efd2eb45fe9de47d8dc9

SHA1
c0a48e82e986b8b8b11a452e7d176ca960c9deb2

SHA256
17e6f56565ab95acf7869526161d651e677d6f8f131321fbfd39dcb0b8b0c564

SHA512
16b07e87db0906a6d1ad191853f1a1ee6d84b0999084c7696caab902de45187939727d3dced55f2e1dda0bfddf4ee2bf0d124ffde3ddb4e5ab5eeab7ac2bb5e2

Download Submit
C:\Windows\{9DFA48CC-D070-4a50-BBB0-CBE2A04E28C9}.exe

Filesize
197KB

MD5
8f66e7820c36a42a061ad9c755397234

SHA1
12b0ff70bdbf81a02507280c272232d04b1850ad

SHA256
fe3ce3674ef372e1e86d11f9b8e1b8a0eba2f1f388320e4835f1b8f20e960008

SHA512
6db8b33ac32040e30343c20ea890626b5769094cf765b9a0add409e88396ca942ab6a74943684891eefca465b40576e77b1533a2c98254f8cc40c7959201a991

Download Submit
C:\Windows\{9F2E691D-6E76-4cec-BF6F-D746B0CE53A3}.exe

Filesize
197KB

MD5
9f406c1646e0eea76cb892341641a1af

SHA1
035d85cb90e407fa080024d493e8796f2f895af0

SHA256
4c8df6ed180fc19001eacfcecd4501c2a18ea90e4be0baad7bbfe0da68dd43ea

SHA512
5efe5ec3bc2bb38fe74037612264dee2a265d8e5d8ec4e2c8d58389b906ea1fa27ad35dd52de7a7c88a1ef36f7450c64fb8261c9d1e7d7f3989ef995ec2dad0e

Download Submit
C:\Windows\{D5FF6099-DF6F-4285-9919-73C1BD27D5DC}.exe

Filesize
197KB

MD5
63fab8d9a174cc2d0677d2914fe14dda

SHA1
ba6bc6d76e842d4a22bcd6cf405e61c0dc503da3

SHA256
33e951804ec15886ebc520a60becc34ce6236be75f4fbbe20243f574033727ec

SHA512
1efdae1506e80d47e2f47e8bfddc51f6621c10e6a77310fbe0fbaf487b98da0611875b33b0cd93a904c88cbae8bd03bd5e0721d27f906541aa5edf41fdbd8ed5

Download Submit
C:\Windows\{DF3CAE05-F643-4b94-9FD4-32BEFD48008A}.exe

Filesize
197KB

MD5
b24672fc1c685d112d6cd9f060e78546

SHA1
80c2f2d6ff52d2ce409f7952b03cbd5a0dc5052f

SHA256
7a2f0bccc1a99639907101f891d50217a97af96202eccdc0df82d1186e44f953

SHA512
033572dc1561ccecf356c61ffd16f465a860764048dbf94d0693e0bacf13586374242bb20ea50fa93c7e138186eb435fe115b8af614da5060bf3f42ac1fde529

Download Submit
C:\Windows\{EB6E8DB9-B9CD-48ca-ACB2-ACF63F08771D}.exe

Filesize
197KB

MD5
7bc287d8fba7c64f6aca43a97bb6a873

SHA1
cd9302c0be14127968851aea6ef369e6f868082f

SHA256
fa061930749a3bf12a676672394833a3957fbce1594344b17e041f0ce6e05c58

SHA512
775d58f9af6ea4b86d24db30346a9db44ce658ab4ab37793719ac22a3f624c07f6465e8b12d50181c7ae5ca6aa57695af54de24978c17ef312779d0fc4f069a8

Download Submit
C:\Windows\{FD718B92-3488-4158-85A3-8AEF1313AC89}.exe

Filesize
197KB

MD5
2f1e6982a1c010e8435b1c0f946fdc03

SHA1
b9deb099ccf9bc08e0d7a1a0c97df19a79e5c13c

SHA256
0f73c7913a697a8456da2846975d47d6431cea76777648c184f3de42cc16382c

SHA512
e93388f26d2cfd04289ac8d77dea733884c5e8a91590fb7baeefdfbddbcb25f1b725c121b7c07cb27edf64816c0598956300b16cfc37492d805926c5a16bb6b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads